diff options
-rw-r--r-- | conf/CMakeLists.txt | 1 | ||||
-rw-r--r-- | conf/dbus/CMakeLists.txt | 28 | ||||
-rw-r--r-- | conf/dbus/afm-permissions-session.conf | 31 | ||||
-rw-r--r-- | conf/dbus/afm-permissions-system.conf | 58 | ||||
-rw-r--r-- | conf/system/CMakeLists.txt | 10 | ||||
-rw-r--r-- | conf/system/afm-system-setup.sh.in | 2 | ||||
-rw-r--r-- | conf/system/afm-user-setup.sh.in | 22 | ||||
-rw-r--r-- | conf/system/afm-user-setup@.service.in | 3 | ||||
l--------- | conf/system/user-runtime-dir@.service.wants/afm-user-setup@.service | 1 | ||||
-rw-r--r-- | conf/unit/afm-unit | 26 | ||||
-rw-r--r-- | conf/unit/binder.inc | 4 | ||||
-rw-r--r-- | conf/unit/macros.inc | 29 | ||||
-rw-r--r-- | conf/unit/provided-api-platform.inc | 85 | ||||
-rw-r--r-- | conf/unit/provided-api-user.inc (renamed from conf/unit/provided-api.inc) | 7 | ||||
-rw-r--r-- | conf/unit/provided-binding-platform.inc | 48 | ||||
-rw-r--r-- | conf/unit/provided-binding-user.inc (renamed from conf/unit/provided-binding.inc) | 4 | ||||
-rw-r--r-- | conf/unit/service.inc | 71 | ||||
-rw-r--r-- | docs/3-permissions.md | 8 |
18 files changed, 389 insertions, 49 deletions
diff --git a/conf/CMakeLists.txt b/conf/CMakeLists.txt index 47fe4ec..11b2beb 100644 --- a/conf/CMakeLists.txt +++ b/conf/CMakeLists.txt @@ -19,4 +19,5 @@ add_subdirectory(unit) add_subdirectory(system) add_subdirectory(user) +add_subdirectory(dbus) diff --git a/conf/dbus/CMakeLists.txt b/conf/dbus/CMakeLists.txt new file mode 100644 index 0000000..9946595 --- /dev/null +++ b/conf/dbus/CMakeLists.txt @@ -0,0 +1,28 @@ +########################################################################### +# Copyright (C) 2015-2019 IoT.bzh +# +# author: José Bollo <jose.bollo@iot.bzh> +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +########################################################################### + +cmake_minimum_required(VERSION 2.8) + +if(NOT USE_SDK) + set(SYSCONFDIR_DBUS_SYSTEM ${CMAKE_INSTALL_SYSCONFDIR}/dbus-1/system.d CACHE STRING "Path to dbus system configuration files") + set(SYSCONFDIR_DBUS_SESSION ${CMAKE_INSTALL_SYSCONFDIR}/dbus-1/session.d CACHE STRING "Path to dbus system configuration files") + + install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/afm-permissions-system.conf DESTINATION ${SYSCONFDIR_DBUS_SYSTEM}) + install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/afm-permissions-session.conf DESTINATION ${SYSCONFDIR_DBUS_SESSION}) +endif() + diff --git a/conf/dbus/afm-permissions-session.conf b/conf/dbus/afm-permissions-session.conf new file mode 100644 index 0000000..5dbfe2d --- /dev/null +++ b/conf/dbus/afm-permissions-session.conf @@ -0,0 +1,31 @@ +<?xml version="1.0"?> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> + +<!-- + This file is part of afm-main + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +<busconfig> + <policy at_console="false"> + + <!-- any --> + <check send_destination="*" privilege="http://tizen.org/privilege/internal/dbus"/> + <check receive_sender="*" privilege="http://tizen.org/privilege/internal/dbus"/> + + </policy> +</busconfig> + + diff --git a/conf/dbus/afm-permissions-system.conf b/conf/dbus/afm-permissions-system.conf new file mode 100644 index 0000000..30f9a8f --- /dev/null +++ b/conf/dbus/afm-permissions-system.conf @@ -0,0 +1,58 @@ +<?xml version="1.0"?> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> + +<!-- + This file is part of afm-main + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +<busconfig> + <policy at_console="false"> + + <!-- any --> + <check send_destination="*" privilege="http://tizen.org/privilege/internal/dbus"/> + <check receive_sender="*" privilege="http://tizen.org/privilege/internal/dbus"/> + + <!-- org.bluez --> + <check send_destination="org.bluez" privilege="http://tizen.org/privilege/internal/dbus"/> + <check receive_sender="org.bluez" privilege="http://tizen.org/privilege/internal/dbus"/> + + <!-- fi.w1.wpa_supplicant1 --> + <check send_destination="fi.w1.wpa_supplicant1" privilege="http://tizen.org/privilege/internal/dbus"/> + <check receive_sender="fi.w1.wpa_supplicant1" privilege="http://tizen.org/privilege/internal/dbus"/> + + <!-- org.ofono --> + <check send_destination="org.ofono" privilege="http://tizen.org/privilege/internal/dbus"/> + <check receive_sender="org.ofono" privilege="http://tizen.org/privilege/internal/dbus"/> + + <!-- org.freedesktop.GeoClue2 --> + <check send_destination="org.freedesktop.GeoClue2" privilege="http://tizen.org/privilege/internal/dbus"/> + <check receive_sender="org.freedesktop.GeoClue2" privilege="http://tizen.org/privilege/internal/dbus"/> + + <!-- org.neard --> + <check send_destination="org.neard" privilege="http://tizen.org/privilege/internal/dbus"/> + <check receive_sender="org.neard" privilege="http://tizen.org/privilege/internal/dbus"/> + + <!-- org.neardal --> + <check send_destination="org.neardal" privilege="http://tizen.org/privilege/internal/dbus"/> + <check receive_sender="org.neardal" privilege="http://tizen.org/privilege/internal/dbus"/> + + <!-- net.connman --> + <check send_destination="net.connman" privilege="http://tizen.org/privilege/internal/dbus"/> + <check receive_sender="net.connman" privilege="http://tizen.org/privilege/internal/dbus"/> + </policy> +</busconfig> + + diff --git a/conf/system/CMakeLists.txt b/conf/system/CMakeLists.txt index eba8d42..3cabd0c 100644 --- a/conf/system/CMakeLists.txt +++ b/conf/system/CMakeLists.txt @@ -18,6 +18,10 @@ cmake_minimum_required(VERSION 2.8) +if(AGL_DEVEL) + set(create_platform_debug "dodir ${afm_platform_rundir}/debug") +endif() + configure_file(afm-system-daemon.service.in afm-system-daemon.service) configure_file(afm-system-daemon.socket.in afm-system-daemon.socket) configure_file(afm-system-setup.service.in afm-system-setup.service) @@ -47,6 +51,12 @@ if(NOT USE_SDK) ${UNITDIR_SYSTEM} ) install( + DIRECTORY + ${CMAKE_CURRENT_SOURCE_DIR}/user-runtime-dir@.service.wants + DESTINATION + ${UNITDIR_SYSTEM} + ) + install( PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/afm-user-setup.sh ${CMAKE_CURRENT_BINARY_DIR}/afm-system-setup.sh diff --git a/conf/system/afm-system-setup.sh.in b/conf/system/afm-system-setup.sh.in index 2af411c..65e75ed 100644 --- a/conf/system/afm-system-setup.sh.in +++ b/conf/system/afm-system-setup.sh.in @@ -13,4 +13,4 @@ dodir $pdir dodir $pdir/display dodir $pdir/apis dodir $pdir/apis/ws - +@create_platform_debug@ diff --git a/conf/system/afm-user-setup.sh.in b/conf/system/afm-user-setup.sh.in index 24795ae..076676f 100644 --- a/conf/system/afm-user-setup.sh.in +++ b/conf/system/afm-user-setup.sh.in @@ -3,18 +3,28 @@ uid=$1 udir=/run/user/$uid -dodir() { +dodir_star() { if ! test -e $1; then mkdir -m 700 $1 chown $uid:$uid $1 - chsmack -a '*' $1 fi + chsmack -a '*' $1 } -dodir $udir -dodir $udir/apis -dodir $udir/apis/ws -dodir $udir/apis/link +dodir_star $udir +dodir_star $udir/apis +dodir_star $udir/apis/ws +dodir_star $udir/apis/link + +dodir_usrshr() { + if ! test -e $1; then + mkdir -m 700 $1 + chown $uid:$uid $1 + fi + chsmack -a User::App-Shared -t $1 +} + +dodir_usrshr $udir/usrshr doln() { if ! test -e $2; then diff --git a/conf/system/afm-user-setup@.service.in b/conf/system/afm-user-setup@.service.in index 86c0422..c1e4f1e 100644 --- a/conf/system/afm-user-setup@.service.in +++ b/conf/system/afm-user-setup@.service.in @@ -1,6 +1,7 @@ [Unit] Description=Initiate afm-user-setup %i -After=user@%i.service +After=user-runtime-dir@%i.service +Before=user@%i.service [Service] Type=oneshot StartLimitInterval=0 diff --git a/conf/system/user-runtime-dir@.service.wants/afm-user-setup@.service b/conf/system/user-runtime-dir@.service.wants/afm-user-setup@.service new file mode 120000 index 0000000..07fe155 --- /dev/null +++ b/conf/system/user-runtime-dir@.service.wants/afm-user-setup@.service @@ -0,0 +1 @@ +../afm-user-setup@.service
\ No newline at end of file diff --git a/conf/unit/afm-unit b/conf/unit/afm-unit index 2a91067..342a048 100644 --- a/conf/unit/afm-unit +++ b/conf/unit/afm-unit @@ -88,21 +88,39 @@ divert(0)dnl {{#targets}} ;------------------------------------------------------------------------------- include(service.inc) +IF_PERM(:partner:scope-platform) ;------------------------------------------------------------------------------- -;---- F O R E A C H P R O V I D E D A P I S ---- +;---- F O R E A C H P R O V I D E D A P I S (PLATFORM) ---- ;------------------------------------------------------------------------------- {{#provided-api}} {{#value=ws|auto}} -include(provided-api.inc) +include(provided-api-platform.inc) {{/value=ws|auto}} {{/provided-api}} ;------------------------------------------------------------------------------- -;---- F O R E A C H P R O V I D E D B I N D I N G ---- +;---- F O R E A C H P R O V I D E D B I N D I N G (PLATFORM) ---- ;------------------------------------------------------------------------------- {{#provided-binding}} -include(provided-binding.inc) +include(provided-binding-platform.inc) {{/provided-binding}} ;------------------------------------------------------------------------------- +ELSE +;------------------------------------------------------------------------------- +;---- F O R E A C H P R O V I D E D A P I S (USER) ---- +;------------------------------------------------------------------------------- +{{#provided-api}} +{{#value=ws|auto}} +include(provided-api-user.inc) +{{/value=ws|auto}} +{{/provided-api}} +;------------------------------------------------------------------------------- +;---- F O R E A C H P R O V I D E D B I N D I N G (USER) ---- +;------------------------------------------------------------------------------- +{{#provided-binding}} +include(provided-binding-user.inc) +{{/provided-binding}} +;------------------------------------------------------------------------------- +ENDIF {{/targets}} ;------------------------------------------------------------------------------- ; End of file afm-unit.conf mode ON_AGL_DEVEL(DEVEL, RELEASE) diff --git a/conf/unit/binder.inc b/conf/unit/binder.inc index 30c25d5..58f877f 100644 --- a/conf/unit/binder.inc +++ b/conf/unit/binder.inc @@ -12,7 +12,7 @@ Type=notify ExecStart=/usr/bin/afb-daemon \ --name afbd-TARGET \ --rootdir={{:#metadata.install-dir}} \ - --workdir=APP_DATA_DIR/{{id}} \ + --workdir=APP_WORK_DIR \ IF_AGL_DEVEL \ --verbose \ --verbose \ @@ -48,4 +48,4 @@ ENDIF \ {{/provided-api}} \ ON_CONTENT(text/html, --exec /usr/bin/web-runtime http://localhost:@p/{{content.src}}?token=@t) \ ON_CONTENT(application/vnd.agl.native, --exec {{:#metadata.install-dir}}/{{content.src}} @p @t) - +%nl diff --git a/conf/unit/macros.inc b/conf/unit/macros.inc index a764765..ca72b95 100644 --- a/conf/unit/macros.inc +++ b/conf/unit/macros.inc @@ -25,6 +25,7 @@ define( `PERM', `@afm_prefix@permission:$1') define( `REQPERM', `required-permission.PERM($1)') define( `ON_PERM', `MUSTACH_ON(REQPERM($1),$2,$3)') +define( `ON_NOT_PERM', `MUSTACH_ON(REQPERM($1),$3,$2)') define( `IF_PERM', `MUSTACH_IF(REQPERM($1))') define( `IF_NOT_PERM', `MUSTACH_IF_NOT(REQPERM($1))') @@ -43,21 +44,36 @@ define( `IF_NOT_VALUE', `MUSTACH_IF_NOT(value=$1)') -- use TARGET={{:id}}--{{:ver}}--{{:#target}} -- instead of TARGET={{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}} -------------------------------------------------------------------------------- +define( `SMACKLABEL', `User::App::{{:id}}') define( `TARGET', `{{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}') define( `NEWTARGET', `{{:id}}--{{:ver}}--{{:#target}}') +define( `UNITSUFFIX', `ON_NOT_PERM(`:partner:scope-platform', `@%i')') define( `UNIT_NAME_BASE', `afm-ON_PERM(`:public:hidden', `service', `appli')-NEWTARGET') -define( `UNIT_NAME_SERVICE', `UNIT_NAME_BASE@%i.service') define( `UNIT_NAME_API_BASE', `afm-api-$1') -define( `UNIT_NAME_API_SERVICE', `UNIT_NAME_API_BASE($1)@$2.service') -define( `UNIT_NAME_API_SOCKET', `UNIT_NAME_API_BASE($1)@$2.socket') +define( `UNIT_NAME_API_SERVICE', `UNIT_NAME_API_BASE($1)UNITSUFFIX.service') +define( `UNIT_NAME_API_SOCKET', `UNIT_NAME_API_BASE($1)UNITSUFFIX.socket') define( `UNIT_NAME_BINDING_BASE', `afm-link-$1') -define( `UNIT_NAME_BINDING_SERVICE', `UNIT_NAME_BINDING_BASE($1)@$2.service') -define( `APP_DATA_DIR', `/home/%i/app-data') +define( `UNIT_NAME_BINDING_SERVICE', `UNIT_NAME_BINDING_BASE($1)UNITSUFFIX.service') + define( `USER_RUN_DIR', `@afm_users_rundir@/%i') define( `DEBUGGING_DIR', `@afm_platform_rundir@/debug') -define( `API_PATH', `USER_RUN_DIR/apis') +define( `PLATFORM_RUN_DIR', `@afm_platform_rundir@') + +define( `APP_DATA_DIR', `ON_PERM(`:partner:scope-platform', `/tmp', `/home/%i/app-data')') +define( `APP_WORK_DIR', `ON_PERM(`:partner:scope-platform', `/tmp', `APP_DATA_DIR/{{:id}}')') +define( `RUN_DIR', `ON_PERM(`:partner:scope-platform', `PLATFORM_RUN_DIR', `USER_RUN_DIR')') + +define( `API_PATH', `RUN_DIR/apis') define( `API_PATH_WS', `API_PATH/ws') define( `API_PATH_LINK', `API_PATH/link') + +define( `PLATFORM_API_PATH', `PLATFORM_RUN_DIR/apis') +define( `PLATFORM_API_PATH_WS', `PLATFORM_API_PATH/ws') +define( `PLATFORM_API_PATH_LINK', `PLATFORM_API_PATH/link') + +define( `USER_API_PATH', `USER_RUN_DIR/apis') +define( `USER_API_PATH_WS', `USER_API_PATH/ws') +define( `USER_API_PATH_LINK', `USER_API_PATH/link') -------------------------------------------------------------------------------- -- AGL_DEVEL SPECIFIC PARTS -------------------------------------------------------------------------------- @@ -65,3 +81,4 @@ define( `ON_AGL_DEVEL', `ifdef(`AGL_DEVEL', $1, $2)') define( `ON_NOT_AGL_DEVEL', `ifdef(`AGL_DEVEL', $2, $1)') define( `IF_AGL_DEVEL', `IF(ON_AGL_DEVEL(1,0))') define( `IF_NOT_AGL_DEVEL', `IF(ON_AGL_DEVEL(0,1))') +-------------------------------------------------------------------------------- diff --git a/conf/unit/provided-api-platform.inc b/conf/unit/provided-api-platform.inc new file mode 100644 index 0000000..d169d9a --- /dev/null +++ b/conf/unit/provided-api-platform.inc @@ -0,0 +1,85 @@ +dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4: +;------------------------------------------------------------------------------- +;---- T H E S E R V I C E O F T H E A P I (USER) ---- +;------------------------------------------------------------------------------- +%begin systemd-unit + +# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}} + +%systemd-unit system +%systemd-unit service UNIT_NAME_API_BASE({{name}})@ + +[Unit] +Description=Provides api {{name}} for user %i +X-AFM-API-TYPE={{value}} + +Requires=afm-user-setup@%i.service +After=afm-user-setup@%i.service + +Requires=UNIT_NAME_API_BASE({{name}}).socket +After=UNIT_NAME_API_BASE({{name}}).socket + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/true + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/ln -sf PLATFORM_API_PATH_WS/{{name}} USER_API_PATH_WS/{{name}} + +%end systemd-unit + +;------------------------------------------------------------------------------- +;---- T H E S E R V I C E O F T H E A P I (PLATFORM) ---- +;------------------------------------------------------------------------------- +%begin systemd-unit + +# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}} + +%systemd-unit system +%systemd-unit service UNIT_NAME_API_BASE({{name}}) + +[Unit] +Description=Provides api {{name}} for platform +X-AFM-API-TYPE={{value}} + +Requires=afm-system-setup.service +After=afm-system-setup.service + +Requires=UNIT_NAME_API_BASE({{name}}).socket +After=UNIT_NAME_API_BASE({{name}}).socket + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/true + +%end systemd-unit + +;------------------------------------------------------------------------------- +;---- T H E S O C K E T O F T H E A P I (PLATFORM) ---- +;------------------------------------------------------------------------------- + +%begin systemd-unit + +# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}} + +%systemd-unit system +%systemd-unit socket UNIT_NAME_API_BASE({{name}}) +[Unit] +Description=Provides websocket api {{name}} for platform +Requires=afm-system-setup.service +After=afm-system-setup.service +DefaultDependencies=no + +[Socket] +SmackLabel=* +SmackLabelIPIn=System +SmackLabelIPOut=System +ListenStream=PLATFORM_API_PATH_WS/{{name}} +FileDescriptorName={{name}} +Service=UNIT_NAME_BASE.service + +%end systemd-unit diff --git a/conf/unit/provided-api.inc b/conf/unit/provided-api-user.inc index bdee6c9..77478c8 100644 --- a/conf/unit/provided-api.inc +++ b/conf/unit/provided-api-user.inc @@ -46,11 +46,8 @@ DefaultDependencies=no SmackLabel=* SmackLabelIPIn=System SmackLabelIPOut=System -ListenStream=API_PATH_WS/{{name}} +ListenStream=USER_API_PATH_WS/{{name}} FileDescriptorName={{name}} -Service=UNIT_NAME_SERVICE +Service=UNIT_NAME_BASE@%i.service %end systemd-unit - - - diff --git a/conf/unit/provided-binding-platform.inc b/conf/unit/provided-binding-platform.inc new file mode 100644 index 0000000..375a636 --- /dev/null +++ b/conf/unit/provided-binding-platform.inc @@ -0,0 +1,48 @@ +dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4: +;------------------------------------------------------------------------------- +;---- T H E S E R V I C E O F T H E B I N D I N G (USER) ---- +;------------------------------------------------------------------------------- +%begin systemd-unit + +# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}} + +%systemd-unit system +%systemd-unit service UNIT_NAME_BINDING_BASE({{name}})@ + +[Unit] +Description=Provides binding {{name}} for user %i + +Requires=afm-user-setup@%i.service +After=afm-user-setup@%i.service +Requires=UNIT_NAME_BINDING_BASE({{name}}).service +After=UNIT_NAME_BINDING_BASE({{name}}).service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/ln -sf PLATFORM_API_PATH_LINK/{{name}} USER_API_PATH_LINK/{{name}} + +%end systemd-unit + +;------------------------------------------------------------------------------- +;---- T H E S E R V I C E O F T H E B I N D I N G (PLATFORM) ---- +;------------------------------------------------------------------------------- +%begin systemd-unit + +# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}} + +%systemd-unit system +%systemd-unit service UNIT_NAME_BINDING_BASE({{name}}) + +[Unit] +Description=Provides binding {{name}} for platform + +Requires=afm-system-setup.service +After=afm-system-setup.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} PLATFORM_API_PATH_LINK/{{name}} + +%end systemd-unit diff --git a/conf/unit/provided-binding.inc b/conf/unit/provided-binding-user.inc index 3737126..5a53735 100644 --- a/conf/unit/provided-binding.inc +++ b/conf/unit/provided-binding-user.inc @@ -18,8 +18,6 @@ After=afm-user-setup@%i.service [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} API_PATH_LINK/{{name}} +ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} USER_API_PATH_LINK/{{name}} %end systemd-unit - - diff --git a/conf/unit/service.inc b/conf/unit/service.inc index 88c1454..bebf25a 100644 --- a/conf/unit/service.inc +++ b/conf/unit/service.inc @@ -8,7 +8,11 @@ dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4: %nl %systemd-unit system +IF_PERM(:partner:scope-platform) +%systemd-unit service UNIT_NAME_BASE +ELSE %systemd-unit service UNIT_NAME_BASE@ +ENDIF [Unit] Description={{description}} @@ -29,12 +33,19 @@ X-AFM--target-name={{:#target}} X-AFM--content={{content.src}} X-AFM--type={{content.type}} X-AFM--wgtdir={{:#metadata.install-dir}} -X-AFM--workdir=APP_DATA_DIR/{{:id}} +X-AFM--workdir=APP_WORK_DIR X-AFM--visibility=ON_PERM(`:public:hidden', `hidden', `visible') %nl +IF_PERM(:partner:scope-platform) +X-AFM--scope=platform +After=afm-system-setup.service +ELSE +X-AFM--scope=user Requires=afm-user-session@%i.target After=user@%i.service +ENDIF + After=Network.target # Adds check to smack @@ -44,56 +55,71 @@ ConditionSecurity=smack # Automatic bound to required api {{#required-binding}} {{#value=extern}} -BindsTo=UNIT_NAME_BINDING_SERVICE({{name}},%i) -After=UNIT_NAME_BINDING_SERVICE({{name}},%i) +BindsTo=UNIT_NAME_BINDING_SERVICE({{name}}) +After=UNIT_NAME_BINDING_SERVICE({{name}}) {{/value=extern}} {{/required-binding}} + {{#required-api}} {{#value=auto|ws}} -BindsTo=UNIT_NAME_API_SERVICE({{name}},%i) -After=UNIT_NAME_API_SERVICE({{name}},%i) +BindsTo=UNIT_NAME_API_SERVICE({{name}}) +After=UNIT_NAME_API_SERVICE({{name}}) {{/value=auto|ws}} {{/required-api}} + {{#provided-api}} {{#value=ws|auto}} -Requires=UNIT_NAME_API_SOCKET({{name}},%i) -After=UNIT_NAME_API_SOCKET({{name}},%i) +Requires=UNIT_NAME_API_SOCKET({{name}}) +After=UNIT_NAME_API_SOCKET({{name}}) {{/value=ws|auto}} {{/provided-api}} %nl [Service] + EnvironmentFile=-@afm_confdir@/unit.env.d/* EnvironmentFile=-@afm_confdir@/widget.env.d/{{:id}}/* -SmackProcessLabel=User::App::{{:id}} +SmackProcessLabel=SMACKLABEL SuccessExitStatus=0 SIGKILL - +UMask=0077 + +IF_PERM(:partner:scope-platform) +#DynamicUser=true +User=daemon +Group=nobody +Slice=platform.slice +ELSE User=%i Slice=user-%i.slice - +WorkingDirectory=-APP_WORK_DIR +ExecStartPre=/bin/mkdir -p APP_WORK_DIR +Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=USER_RUN_DIR/bus +ENDIF +IF_PERM(:system:capability:keep-all) +CapabilityBoundingSet=~ +AmbientCapabilities=~ +ELSE CapabilityBoundingSet= -#AmbientCapabilities= +ENDIF ON_PERM(:platform:no-oom, OOMScoreAdjust=-500) ON_PERM(:partner:real-time, IOSchedulingClass=realtime) ON_PERM(:public:display, SupplementaryGroups=display) -ON_PERM(:public:syscall:clock, , SystemCallFilter=~@clock) +ON_PERM(:public:audio, SupplementaryGroups=audio) +ON_NOT_PERM(:public:syscall:clock, SystemCallFilter=~@clock) %nl -WorkingDirectory=-APP_DATA_DIR/{{:id}} -ExecStartPre=/bin/mkdir -p APP_DATA_DIR/{{:id}} Environment=AFM_ID=TARGET Environment=AFM_APP_INSTALL_DIR={{:#metadata.install-dir}} -Environment=AFM_WORKDIR=APP_DATA_DIR/{{:id}} +Environment=AFM_WORKDIR=APP_WORK_DIR Environment=AFM_WSAPI_DIR=API_PATH_WS Environment=PATH=/usr/sbin:/usr/bin:/sbin:/bin:{{:#metadata.install-dir}}/bin Environment=LD_LIBRARY_PATH={{:#metadata.install-dir}}/lib -Environment=XDG_DATA_HOME=APP_DATA_DIR/{{:id}} -Environment=XDG_CONFIG_HOME=APP_DATA_DIR/{{:id}} -Environment=XDG_CACHE_HOME=APP_DATA_DIR/{{:id}} -Environment=XDG_RUNTIME_DIR=USER_RUN_DIR -Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=USER_RUN_DIR/bus +Environment=XDG_DATA_HOME=APP_WORK_DIR +Environment=XDG_CONFIG_HOME=APP_WORK_DIR +Environment=XDG_CACHE_HOME=APP_WORK_DIR +Environment=XDG_RUNTIME_DIR=RUN_DIR IF_AGL_DEVEL ; Needed to enable debug @@ -124,9 +150,14 @@ IF_PERM(:system:run-by-default) ; auto start ;------------------------------------------------------------------------------- [Install] +IF_PERM(:partner:scope-platform) +WantedBy=multi-user.target +%systemd-unit wanted-by multi-user.target +ELSE WantedBy=afm-user-session@.target %systemd-unit wanted-by afm-user-session@.target ENDIF +ENDIF %end systemd-unit diff --git a/docs/3-permissions.md b/docs/3-permissions.md index 957478e..fa65c5d 100644 --- a/docs/3-permissions.md +++ b/docs/3-permissions.md @@ -90,7 +90,7 @@ attachment of value to permission. ## Example of permissions Here is a list of some possible permissions. -These permissions are available the 17th of March 2017. +These permissions are available the 21th of May 2019. - urn:AGL:permission::platform:no-oom Set OOMScoreAdjust=-500 to keep the out-of-memory @@ -117,6 +117,12 @@ These permissions are available the 17th of March 2017. Forbids services to provide its API through D-Bus. - urn:AGL:permission::system:run-by-default Starts automatically the application. Example: home-screen. +- urn:AGL:permission::partner:scope-platform + Install the service at the scope of the platform. +- urn:AGL:permission::system:capability:keep-all + Keep all capabilities for the service. Note that implementing + that permission is not mandatory or can be adapted for the given + system. - <http://tizen.org/privilege/internal/dbus> Permission to use D-Bus. |